ABAC '17 Latest Publications

Imposing Fine-grain Next Generation Access Control over Database Queries
ABAC '17 Pub Date : 2017-03-24 DOI: 10.1145/3041048.3041050
David F. Ferraiolo, S. Gavrila, Gopi Katwala, Joshua D. Roberts
Abstract: In this paper, we describe a system that leverages ANSI/INCITS Next Generation Access Control (NGAC) standard called Next-generation Database Access Control (NDAC) for accessing data in tables, rows, and columns in existing RDBMS products. NDAC imposes access control at the data level, eliminating the need for implementing and managing access control in applications and/or through the use of proprietary RDBMS mechanisms. Consequently, the same policies can protect multiple databases from queries sent from multiple applications. Furthermore, NDAC not only provides control down to the field level, but to varying fields of select rows. NDAC is unique in achieving this granularity of control without the use and coordination of multiple protection mechanisms. Operationally, users issue wide sweeping queries, and NDAC allows access to the optimal amount of data permissible for the user. The method includes an Access Manager for trapping and enforcing policy over SQL queries issued by applications as well as a Translator for converting SQL statements to NGAC inputs and converting NGAC authorization responses to either an access Deny or one or more permitted SQL statements.
Citations: 5
Attribute Based Access Control for Healthcare Resources
ABAC '17 Pub Date : 2017-03-24 DOI: 10.1145/3041048.3041055
S. Mukherjee, I. Ray, I. Ray, H. Shirazi, Toan C Ong, M. Kahn
Abstract: Fast Health Interoperability Services (FHIR) is the most recent in the line of standards for healthcare resources. FHIR represents different types of medical artifacts as resources and also provides recommendations for their authorized disclosure using web-based protocols including O-Auth and OpenId Connect and also defines security labels. In most cases, Role Based Access Control (RBAC) is used to secure access to FHIR resources. We provide an alternative approach based on Attribute Based Access Control (ABAC) that allows attributes of subjects and objects to take part in authorization decision. Our system allows various stakeholders to define policies governing the release of healthcare data. It also authenticates the end user requesting access. Our system acts as a middle-layer between the end-user and the FHIR server. Our system provides efficient release of individual and batch resources both during normal operations and also during emergencies. We also provide an implementation that demonstrates the feasibility of our approach.
Citations: 19
Attribute Transformation for Attribute-Based Access Control
ABAC '17 Pub Date : 2017-03-24 DOI: 10.1145/3041048.3041052
P. Biswas, R. Sandhu, R. Krishnan
Abstract: In this paper, we introduce the concept of transforming attribute-value assignments from one set to another set. We specify two types of transformations: attribute reduction and attribute expansion. We distinguish policy attributes from non-policy attributes in that policy attributes are used in authorization policies whereas the latter are not. Attribute reduction is a process of contracting a large set of assignments of non-policy attributes into a possibly smaller set of policy attribute-value assignments. This process is useful for abstracting attributes that are too specific for particular types of objects or users, designing modular authorization policies, and modeling hierarchical policies. On the other hand, attribute expansion is a process of performing a large set of attribute-value assignments to users or objects from a possibly smaller set of assignments. We define a language for specifying mapping for the transformation process. We also identify and discuss various issues that stem from the transformation process.
Citations: 12
Proposed Model for Natural Language ABAC Authoring
ABAC '17 Pub Date : 2017-03-24 DOI: 10.1145/3041048.3041054
Ronald C. Turner
Abstract: Authorization policy authoring has required tools from the start. With access policy governance now an executive-level responsibility, it is imperative that such a tool expose the policy to business users, with little or no IT intervention, as natural language. NIST SP 800-162 [1] first prescribes natural language policies (NLPs) as the preferred expression of policy and then implicitly calls for automated translation of NLP to machine-executable code. This paper therefore proposes an interoperable model for the NLP's human expression. It furthermore documents the research and development of a tool set for end-to-end authoring and translation. This R&D journey, focusing constantly on end users, has debunked certain myths, has responded to steadily increasing market sophistication, has applied formal disciplines (e.g. ontologies, grammars and compiler design) and has motivated an informal demonstration of autonomic code generation. The lessons learned should be of practical value to the entire ABAC community. The research in progress (increasingly complex policies, proactive rule analytics, and expanded NLP authoring language support) will require collaboration with an ever-expanding technical community from industry and academia.
Citations: 9
A Systematic Approach to Implementing ABAC
ABAC '17 Pub Date : 2017-03-24 DOI: 10.1145/3041048.3041051
D. Brossard, Gerry Gebel, Mark Berg
Abstract: In this paper we discuss attribute-based access control (ABAC), and how to proceed with a systematic implementation of ABAC across an enterprise. The paper will cover the different steps needed to be successful.
Citations: 21
Verification of Resilience Policies that Assist Attribute Based Access Control
ABAC '17 Pub Date : 2017-03-24 DOI: 10.1145/3041048.3041049
Antonios Gouglidis, Vincent C. Hu, J. Busby, D. Hutchison
Abstract: Access control offers mechanisms to control and limit the actions or operations that are performed by a user on a set of resources in a system. Many access control models exist that are able to support this basic requirement. One of the properties examined in the context of these models is their ability to successfully restrict access to resources. Nevertheless, considering only restriction of access may not be enough in some environments, as in critical infrastructures. The protection of systems in this type of environment requires a new line of enquiry. It is essential to ensure that appropriate access is always possible, even when users and resources are subjected to challenges of various sorts. Resilience in access control is conceived as the ability of a system not to restrict but rather to ensure access to resources. In order to demonstrate the application of resilience in access control, we formally define an attribute based access control model (ABAC) based on guidelines provided by the National Institute of Standards and Technology (NIST). We examine how ABAC-based resilience policies can be specified in temporal logic and how these can be formally verified. The verification of resilience is done using an automated model checking technique, which eventually may lead to reducing the overall complexity required for the verification of resilience policies and serve as a valuable tool for administrators.
Citations: 9
ABAC with Group Attributes and Attribute Hierarchies Utilizing the Policy Machine
ABAC '17 Pub Date : 2017-03-24 DOI: 10.1145/3041048.3041053
Smriti Bhatt, Farhan Patwa, R. Sandhu
Abstract: Attribute-Based Access Control (ABAC) has received significant attention in recent years, although the concept has been around for over two decades now. Many ABAC models, with different variations, have been proposed and formalized. Besides basic ABAC models, there are models designed with additional capabilities such as group attributes, group and attribute hierarchies and so on. Hierarchical relationship among groups and attributes enhances access control flexibility and facilitates attribute management and administration. However, implementation and demonstration of ABAC models in real-world applications is still lacking. In this paper, we present a restricted HGABAC (rHGABAC) model with user and object groups and group hierarchy. We then introduce attribute hierarchies in this model. We also present an authorization architecture for implementing rHGABAC utilizing the NIST Policy Machine (PM). PM allows to define attribute-based access control policies, however, the attributes in PM are different in nature than attributes in typical ABAC models as name-value pairs. We identify a policy configuration mechanism for our proposed model employing PM capabilities, and demonstrate use cases and their configuration and implementation in PM using our authorization architecture.
Citations: 30